Bootcamp
Shehzad Mirza Director of Operations [email protected] [email protected] DMARC Reporting & Analysis: What Happens Next 3 DMARC DNS TXT Record
• Basic: Host: _dmarc.
• Complex: Host: _dmarc.
5 1
2 3 4
6
7
5 DMARC Reports
• DMARC generates two types of reports: • Aggregate • Forensic
6 Forensic/Failure Reports (ruf tag) • Number of reports is dependent on amount of email sent • Reports will provide insight as to which messages were marked as suspicious • Concerns with privacy
7 Sample Forensic/Failure Report
8 Aggregate Reports (rua tag) • Reports sent in XML format to email of choice (can be sent to multiple addresses) • Number and length of reports is dependent on amount of email sent • Allows for: • IT staff to correct any issues with valid messages being dropped by the policy • Visibility into which systems are sending email using org’s domain name (authorized and unauthorized sending IP addresses)
9 quarantine
11 DMARC Pass/Fail
FROM: Domain DKIM DKIM Alignment SPF SPF Alignment DMARC company.com Pass Aligned - company.com Pass Aligned - company.com Pass company.com Pass Unaligned - domain.com Pass Aligned - company.com Pass company.com Pass Aligned - company.com Pass Unaligned - domain.com Pass company.com Fail Unaligned - domain.com Fail Unaligned - domain.com Fail company.com Fail Unaligned - domain.com Pass Aligned - company.com Pass company.com Pass Aligned - company.com Fail Unaligned - domain.com Pass
12 SPF Alignment Pass: From: [email protected] Return-Path:
Fail: From: [email protected] Return-Path: < [email protected] > Received-SPF: pass (google.com: domain of bounce-mc.us15_71628198.660451- [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;
To achieve a passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (e.g., envelope “mail from:” “return-path” domain). 13 SPF Alignment
14 DKIM Alignment Pass: Message Header: From: [email protected] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply- to:from:date:message-id:subject:to :cc;
Fail: Message Header: From: [email protected] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail8.mcsignup.com; s=default; h=mime-version:references:in-reply- to:from:date:message-id:subject:to :cc;
15 What to look for
DKIM Issues
DKIM and SPF Issues
16 Possible Spoofing
17 Spoofing?
18 DMARC Service Providers
19 “Free” Options • UK National Cyber Security Centre - https://github.com/ukncsc/mail-check • St. Louis County - https://github.com/wwalker0307/ElasticMARC • Valimail Monitor - https://go.valimail.com/microsoft.html • parsedmarc - https://github.com/domainaware/parsedmarc
• XML to Human Converters (best if small number of reports are received) • Dmarcian - XML Uploader
• DMARC analyzers (limited capabilities) • Postmark - https://dmarc.postmarkapp.com/ • MXTOOLBOX - https://mxtoolbox.com/dmarcsetup
• 3rd Party tools • LinkedIn LaFayette - https://github.com/linkedin/lafayette/ • SendGrid DMARC Parser - https://github.com/thinkingserious/sendgrid-python-dmarc-parser • Yahoo’s DMARC Report Processor - https://github.com/prbinu/dmarc-report-processor • Additional resources are available on DMARC.org’s Code and Library page 20 • By default you can not send reports to external “External domains Destination • To send to external domains, receiving end must Verification” create following in DNS: Name:
• Example: • gotdmarc.com._report._dmarc.gotdmarc.org
21 DMARC Reports and GDPR
• Forensic reports – privacy concern • Failure reports should be redacted • Reports only send to the email addresses defined in the DMARC policy • Provides visibility into all services that are sending email in your name
22 What Next?
• Review Reports • Adjust SPF and DKIM as needed
• Move to Quarantine/Reject • Continue to review reports • Adjust SPF and DKIM as needed when new mail services are added
23 Week 5 Bootcamp Wrap-up & Additional Email Security Protocols June 2nd Additional Resources
• DMARC.org (http://www.dmarc.org) - Great source for DMARC information
• GCA DMARC - https://dmarc.globalcyberalliance.org
• GCA Community forum – https://community.globalcyberalliance.org
• Bootcamp resources: https://dmarc.globalcyberalliance.org/dmarc- bootcamp/
25 Q&A Thank You!
Shehzad Mirza [email protected] [email protected]
Copyright @ 2020 Global Cyber Alliance